OIG Audit Report 01-05

Review of Department of Justice Internet Sites
Report No. 01-05
March 13, 2001
Office of the Inspector General

Introduction

Internet sites can be powerful tools to inform the public about federal government activities and programs. These sites raise privacy concerns when they use "cookies", a primary method of compiling information and data about Internet users, to track the activities of users over time and across different sites. [1]

As a result of recently passed legislation, we are required to determine whether Department of Justice (DOJ) Internet sites or third parties working for the DOJ collect personally identifiable information from users that access DOJ Internet sites. Our review consisted of reviewing information provided by DOJ officials and limited testing of cookies for the DOJ Internet sites. We did not perform detailed tests to verify the information contained in the documentation. Thus, this report and the associated work was not performed in accordance with Government Auditing Standards (GAS), but was performed as an "other activity of an audit organization" pursuant to GAS 2.10.

Criteria

Office of Management and Budget (OMB) Memorandum M-00-13 (June 22, 2000), Privacy Policies and Data Collection on Federal Web Sites, stated that "cookies" should not be used at federal Internet sites, or by contractors operating the sites on behalf of agencies, unless there was clear and conspicuous notice; a compelling need to gather the data; and appropriate, publicly disclosed safeguards for handling "cookie"-derived information. In addition, the memorandum stated that the agency head must personally approve the use of "cookies."

The recently enacted Treasury and General Government Appropriations Act, 2001 (H.R. 5658, Section 646) (The Act) requires the Inspector General of each department or agency to report to Congress:

any activity of the appropriate department or agency relating to--
the collection or review of singular data, or the creation of aggregate lists that include personally identifiable information, about individuals who access any Internet site of the department or agency; and
entering into agreements with third parties, including other government agencies, to collect, review, or obtain aggregate lists or singular data containing personally identifiable information relating to any individual's access or viewing habits for governmental and non-governmental Internet sites.

Methodology

In response to the OMB memorandum and The Act, we assessed DOJ written guidance related to web development and privacy policies, and prohibitions pertaining to collecting, reviewing, or obtaining data regarding individuals using DOJ Internet sites. In addition, on January 4, 2001, we tested the 56 DOJ Internet sites listed on the DOJ's Alphabetical List of Components with Internet Sites (see attachment) to determine whether the DOJ or third parties were collecting personally identifiable information related to any individual's access or viewing habits on the sites. To conduct our testing, we:

Set the Internet browser to warn us if "cookies" were being sent, and we cleared the "cookie" log to ensure that the only entries were those from our test.
Entered two sites known to set "cookies," msn.com and cnet.com, to ensure that the browser warning worked properly and the log recorded the "cookies." In both cases the browser warned us that cookies were being sent to our computer and asked whether we wanted to accept them. We accepted them.
Examined the "cookies" log and, in both cases, the "cookies" were logged.
Entered the 56 DOJ Internet sites to determine whether they would send "cookies" to our computer.

Results

DOJ Internet sites tested were not collecting, reviewing, or obtaining personally identifiable information relating to any individual's access or viewing habits at the time we tested the sites for "cookies." For all 56 DOJ Internet sites tested, we were neither warned nor asked to accept DOJ or third party "cookies," and, upon examining the browser's "cookies" log, found that no DOJ or third party "cookies" had been recorded.

Currently, DOJ organizations with Internet sites certify quarterly in writing to the Assistant Attorney General for Administration that they comply with OMB Memorandum M-00-13. This policy, as stated earlier, restricts but does not prohibit the use of "cookies."

However, we found no DOJ written guidance related to The Act's prohibition on collecting, reviewing, or obtaining personally identifiable information relating to any individual's access or viewing habits on DOJ Internet sites. While The Act did not specifically cite "cookies" as the prohibited method, many commercial Internet sites use "cookies" to do just that when a user accesses their site. Currently, DOJ organizations with Internet sites are not certifying to The Act's prohibitions on collecting, reviewing, or obtaining personally identifiable information relating to any individual's access or viewing habits on DOJ Internet sites. Rather, they are merely certifying to OMB Memorandum M-00-13's restricted use of "cookies." In our judgment, the current DOJ certification process should be expanded to include The Act's prohibition on collecting, reviewing, or obtaining personally identifiable information relating to any individual's access or viewing habits on DOJ Internet sites.

Appendix

Alphabetical List of DOJ Components with Internet Sites Reviewed for "Cookies"

1. American Indian and Alaska Native Affairs Desk (OJP)
2. Antitrust Division
3. Attorney General
4. Bureau of Justice Assistance (OJP)
5. Bureau of Justice Statistics (OJP)
6. Civil Division
7. Civil Rights Division
8. Community Oriented Policing Services - COPS
9. Community Relations Service
10. Corrections Program Office (OJP)
11. Criminal Division
12. Diversion Control Program (DEA)
13. Drug Courts Program Office (OJP)
14. Drug Enforcement Administration
15. Environment and Natural Resources Division
16. Executive Office for Immigration Review
17. Executive Office for U.S. Attorneys
18. Executive Office for U.S. Trustees
19. Executive Office for Weed and Seed (OJP)
20. Federal Bureau of Investigation
21. Federal Bureau of Prisons
22. Foreign Claims Settlement Commission of the United States
23. Immigration and Naturalization Service
24. INTERPOL -- U.S. National Central Bureau
25. Justice Management Division
26. National Criminal Justice Reference Service (OJP)
27. National Drug Intelligence Center
28. National Institute of Corrections (FBOP)
29. National Institute of Justice (OJP)
30. Office of the Associate Attorney General
31. Office of the Attorney General
32. Office of Attorney Personnel Management
33. Office of Community Dispute Resolution
34. Office of the Deputy Attorney General
35. Office of Dispute Resolution
36. Office of Information and Privacy
37. Office of the Inspector General
38. Office of Intelligence Policy and Review
39. Office of Justice Programs
40. Office of Juvenile Justice and Delinquency Prevention (OJP)
41. Office of Legal Counsel
42. Office of Legislative Affairs
43. Office of the Pardon Attorney
44. Office of Policy Development
45. Office of Professional Responsibility
46. Office of Public Affairs
47. Office of the Solicitor General
48. Office for State and Local Domestic Preparedness Support (OJP)
49. Office of Tribal Justice
50. Office for Victims of Crime (OJP)
51. Tax Division
52. U.S. Attorneys
53. U.S. Marshals Service
54. U.S. Parole Commission
55. U.S. Trustee Program
56. Violence Against Women Office (OJP)

Footnotes

[1] "Cookies" are small software files placed on computers without a person's knowledge that can track their movement on an Internet site. Essentially, cookies make use of user-specific information transmitted by the Internet server onto the user's computer so that the information might be available for later access by itself or other servers. Internet servers automatically gain access to relevant cookies whenever the user establishes a connection to them, usually in the form of Internet requests.
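
The test method described under Methodology, written as an added example (it is not code from the report or from DOJ): it inspects recorded Set-Cookie headers and refuses to report a clean result unless the positive controls produced cookies. The recorded responses, cookie names and `*.example` hosts are constructed, `site-b.example` is a made-up non-compliant case rather than a finding of the report, and the third-party and persistent labels go beyond what the report recorded.

```python
# Constructed sample data: for each site visited, the hosts that answered
# (page host plus embedded resources) and the Set-Cookie values they sent.
CONTROLS = {  # the report's two control sites; cookie contents are invented
    "msn.com": [("www.msn.com", ["MC1=V=3; Domain=.msn.com; Expires=Wed, 30 Sep 2037 00:00:00 GMT"])],
    "cnet.com": [("www.cnet.com", ["sid=abc123; Path=/"])],
}
TARGETS = {  # placeholder hosts, not real DOJ sites
    "site-a.example": [("www.site-a.example", [])],
    "site-b.example": [("www.site-b.example", []),
                       ("ads.tracker.example", ["uid=42; Max-Age=31536000"])],
}

def parse_set_cookie(value):
    """Return (cookie name, attributes with lower-cased keys) for one header value."""
    first, *rest = [part.strip() for part in value.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.split("=", 1)[0], attrs

def audit_site(site, responses):
    """List every cookie set while loading `site`, with who set it and how long it lives."""
    findings = []
    for host, set_cookie_values in responses:
        third_party = not (host == site or host.endswith("." + site))
        for value in set_cookie_values:
            name, attrs = parse_set_cookie(value)
            findings.append({
                "host": host,
                "name": name,
                "third_party": third_party,
                # Expires/Max-Age make a cookie outlive the browser session,
                # which is what allows tracking "over time".
                "persistent": "expires" in attrs or "max-age" in attrs,
            })
    return findings

def run_audit(controls, targets):
    """Check the controls first: if a site known to set cookies shows none,
    the detector is broken and an empty result for the targets proves nothing."""
    failed = [site for site, resp in controls.items() if not audit_site(site, resp)]
    if failed:
        raise RuntimeError(f"positive control failed: {failed}")
    return {site: audit_site(site, resp) for site, resp in targets.items()}

if __name__ == "__main__":
    for site, findings in run_audit(CONTROLS, TARGETS).items():
        print(site, "->", findings or "no cookies recorded")
```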